Microsoft Entra Verified ID went GA!

Back in 2018 Microsoft joined ID2020 alliance and started collaborating with Accenture and Avanade on a blockchain-based identity prototype for Azure. The intention was to give people means to identify them selves easily.

And finally Yesterday Microsoft released the final product!

Entra Verified ID

How does it work?

1. W3C Decentralized Identifiers (DIDs). IDs users create, own, and control independently of any organization or government. DIDs are globally unique identifiers linked to Decentralized Public Key Infrastructure (DPKI) metadata composed of JSON documents that contain public key material, authentication descriptors, and service endpoints.

2. Trust System. In order to be able to resolve DID documents, DIDs are typically recorded on an underlying network of some kind that represents a trust system. Microsoft currently supports two trust systems, which are:

  • ION (Identity Overlay Network) ION is a Layer 2 open, permissionless network based on the purely deterministic Sidetree protocol, which requires no special tokens, trusted validators, or other consensus mechanisms; the linear progression of Bitcoin’s time chain is all that’s required for its operation. We have open sourced a npm package to make working with the ION network easy to integrate into your apps and services. Libraries include creating a new DID, generating keys and anchoring your DID on the Bitcoin blockchain.
  • DID:Web is a permission based model that allows trust using a web domain’s existing reputation.

3. DID User Agent/Wallet: Microsoft Authenticator App. Enables real people to use decentralized identities and Verifiable Credentials. Authenticator creates DIDs, facilitates issuance and presentation requests for verifiable credentials and manages the backup of your DID’s seed through an encrypted wallet file.

4. Microsoft Resolver. An API that connects to our ION node to look up and resolve DIDs using the did:ion method and return the DID Document Object (DDO). The DDO includes DPKI metadata associated with the DID such as public keys and service endpoints.

5. Azure Active Directory Verified Credentials Service. An issuance and verification service in Azure and a REST API for W3C Verifiable Credentials that are signed with the did:ion method. They enable identity owners to generate, present, and verify claims. This forms the basis of trust between users of the systems.

Customer example


Customers can get started with Azure AD free and start using Entra Verified ID today.

Azure AD Premium license will be required for enterprise scale that has more than 50,00 transactions monthly.

If you are wondering what other limitations does Azure AD free and premiums have.

But when you get the premium version, you will also get more security features.

FeatureAzure AD Free – Security defaults (enabled for all users)Azure AD Free – Global Administrators onlyOffice 365Azure AD Premium P1Azure AD Premium P2
Protect Azure AD tenant admin accounts with MFA● (Azure AD Global Administrator accounts only)
Mobile app as a second factor
Phone call as a second factor
SMS as a second factor
Admin control over verification methods
Fraud alert
MFA Reports
Custom greetings for phone calls
Custom caller ID for phone calls
Trusted IPs
Remember MFA for trusted devices
MFA for on-premises applications
Conditional access
Risk-based conditional access
Identity Protection (Risky sign-ins, risky users)
Access Reviews
Entitlements Management
Privileged Identity Management (PIM), just-in-time access


Scripted approach


Create a Service Principal

Connect to to Azure AD with Connect-AzAccount -TenantId switch

If You will use Connect-AzAccount with out any switches, You will get an warning.

Or You can check the Application from Enterprise applications.

Create a key Vault

You can create the Key vault with the following command

And then You can see it inside Your portal.


You can add the permissions with the following.

Then You can see the permissions inside the Key vault.

App registration

App registration permissions

Add permissions to the App for the API created in the earlier steps.

And grant admin consent.

And done.

Set up Verified ID


Create a storage account

You can create a storage account with PowerShell.

Create container under Storage account

Remove public access from Storage Account

The GUI way

And rest of the setup

Create configuration files

Azure AD Verifiable Credentials uses two JSON configuration files, the rules file and the display file.

  • The rules file describes important properties of verifiable credentials. In particular, it describes the claims that subjects (users) need to provide before a verifiable credential is issued for them.
  • The display file controls the branding of the credential and styling of the claims.

Create two files, first one VerifiedCredentialExpertDisplay.json

And the second one VerifiedCredentialExpertRules.json

Upload the configuration files

Open the container You created earlier and upload the json files

And done.

Creating Verified ID’s

Search for Verifiable and open Credentials, then Create.

Select the files that we just uploaded.

And done.

Final thoughts

With Verifiable credentials you will be able to provide other proof of Your identity like passport, driving license, work agreement or even a school diploma.

Verified ID gives a new options to verify your self with other means than only your username, happy days!

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *